Abstract

Certificates to a linear algebra computation are additional data structures for each output, which can be used by a (possibly randomized) verification algorithm that proves the correctness of each output. Wiedemann's algorithm projects the Krylov sequence obtained by repeatedly multiplying a vector by a matrix to obtain a linearly recurrent sequence. The minimal polynomial of this sequence divides the minimal polynomial of the matrix. For instance, if the n×n input matrix is sparse with non-zero entries, the computation of the sequence is quadratic in the dimension of the matrix while the computation of the minimal polynomial is once that projected Krylov sequence is obtained.

In this paper we give algorithms that compute certificates for the Krylov sequence of sparse or structured n×n matrices over an abstract field, whose Monte Carlo verification complexity can be made essentially linear. As an application this gives certificates for the determinant, the minimal and characteristic polynomials of sparse or structured matrices at the same cost.


1 Introduction 

We consider a square sparse or structured matrix A ∈ F^{n×n}. By sparse or structured we mean that the multiplication of a vector by A requires fewer operations than a dense matrix-vector multiplication. The arithmetic cost to apply A is denoted by μ, which thus satisfies μ ≤ n(2n − 1) (n² multiplications and n(n − 1) additions). In the following we also need to perform row-vector-times-matrix multiplications, which, by the transposition principle, cost O(μ) operations [3]. In the following we will simply consider that both operations (left or right multiplication by a row or column vector) cost less than μ arithmetic operations.

The main idea of this paper is to use a Baby-step/Giant-step verification of Wiedemann's Krylov sequence generation. Once the sequence is verified, the remaining operations, of lower cost, can be replayed by the Verifier.

The verification procedure used throughout this paper is that of essentially optimal interactive certificates with the taxonomy of [8]. Indeed, in the following, we consider a Prover, nicknamed Peggy, who will perform a computation, potentially together with additional data structures. We also consider a Verifier, nicknamed Victor, who will check the validity of the computation, faster than just by recomputing it.

By certificates for a problem that is given by input/output specifications, we mean, as in [15, 16], an input-dependent data structure and an algorithm that computes from that input and its certificate the specified output, and that has lower computational complexity than any known algorithm that does the same when only receiving the input. Correctness of the data structure is not assumed but validated by the algorithm.

By interactive certificate, we mean certificates modeled as Σ-protocols (as defined in [7]) where the Prover submits a Commitment, that is some result of a computation; the Verifier answers by a Challenge, usually some uniformly sampled random values; the Prover then answers with a Response, that the Verifier can use to convince himself of the validity of the commitment. To be useful, such a proof system is said to be complete if the probability that a true statement is rejected by the Verifier can be made arbitrarily small. Similarly, the protocol is sound if the probability that a false statement is accepted by the Verifier can be made arbitrarily small. In the following we will actually only consider perfectly complete certificates, that is where a true statement is never rejected by the Verifier.

There are two main ways to design such certificates. On the one hand, efficient protocols can be designed for delegating computational tasks. In recent years, generic protocols have been designed for circuits with polylogarithmic depth [13, 18]. The resulting protocols are interactive and their cost for the Verifier is usually only roughly proportional to the input size. They however can produce a non-negligible overhead for the Prover and are restricted to certain classes of circuits. Variants with an amortized cost for the Verifier can also be designed, see for instance [17], quite often using relatively costly homomorphic routines. Moreover, we want the Verifier to run faster than the Prover, so we discard amortized models where the Verifier is allowed to do a large amount of precomputations, that can be amortized if, say, the same matrix is repeatedly used [5, 12].

On the other hand, dedicated certificates (data structures and algorithms that are verifiable a posteriori, without interaction) have also been developed in the last few years, e.g., for dense exact linear algebra [11, 16, 10], even for problems that have no good circuit representation. There the certificate constitutes a proof of correctness of a result, not of a computation, and can thus also stand a direct public verification. The obtained certificates are ad-hoc, but try to reduce as much as possible the overhead for the Prover, while preserving a fast verification procedure.

In the current paper we follow the latter line of research, that is ad-hoc certificates with fast verification and negligible overhead for the Prover.

In exact linear algebra, the simplest problem to have an optimal certificate is the linear system solution, LinSolve: for a matrix A and a vector b, checking that x is actually a solution is done by one multiplication of x by A. The cost of this check is similar to that of just enumerating all the non-zero coefficients of A. Thus certifying a linear system is reduced to multiplying a matrix by a vector: LinSolve ≤ MatVecMult. In [8], two essentially optimal reductions have been made, that the rank can be certified via certificates for linear systems, and that the characteristic polynomial can be certified via certificates for the determinant: CharPoly ≤ Det and Rank ≤ LinSolve. But no reduction was given for the determinant. We bridge this gap in this paper. We first use Wiedemann's reduction of the determinant to the minimal polynomial of a sequence, Det ≤ MinPoly ≤ Sequence, [21], and then show that the computation of a sequence generated by projections of matrix-vector iterations can be checked by a small number of matrix-vector multiplications: Sequence ≤ MatVecMult.

The complexity model we consider here is the algebraic complexity model: 
we count field operations, but tests (even such as checking the equality of whole 
vectors) are free and uniform sampling of random elements in a field is also free. 
This is justified by the fact that for all our proposed certificates, the number of 
equality tests is always lower than that of field operations and that the number 
of random samples is always lower than that of the communications, itself lower 
than that of the Verifier’s work. 

The paper is organized as follows. We define Wiedemann’s Krylov sequence 
formally in Section 2. Then we use a check-pointing technique to propose a 
first non-quadratic certificate in Section 3. Then we derive from this technique 
a recursive process that can yield a method of decreasing complexities for the 
Verifier in Section 4. The same general idea is modified in Section 5 to get a 
certificate verifiable in essentially optimal time. Finally, we show in Section 6 
how to derive certificates for the determinant, the minimal and the characteristic 
polynomial from these certificates for the Krylov sequence. 
2 Wiedemann's Krylov sequence

We consider here the simple Wiedemann's sequence S (no blocks), defined for two given vectors.

Definition 1. For A ∈ F^{n×n}, V_0 ∈ F^n and U ∈ F^n, Wiedemann's Krylov space is defined for i ≥ 0 as:

$$K_{V_0} = (V_i)_i = (A^i V_0)_i$$

Wiedemann's Krylov sequence is also defined as:

$$S = (s[i])_i = (U^T A^i V_0)_i = (U^T V_i)_i.$$

In the following, the Prover will compute this sequence, potentially together 
with additional data structures, and the Verifier will check the validity of the 
sequence, once computed. 

Now, for a matrix A whose matrix-vector multiplication costs μ arithmetic operations, the original cost for the computation of 2n elements of Wiedemann's Krylov sequence is trivially:

$$W(n) = 2n\mu + 4n^2 = O(n\mu).$$

We summarize in Table 1 the complexity bounds for certificates of Wiedemann's Krylov sequence presented in this paper.

Certificate | Verifier                  | Extra Communication | Prover
§3          | O(n^{…})                  | O(n^{…})            | W(n)
§ 4.1       | 2μ + O(n^{3/2})           | O(n^{3/2})          | W(n) + O(μ n^{1/2})
§ 4.2       | 4μ + O(n^{4/3})           | O(n^{4/3})          | W(n) + O(μ n^{2/3})
§ 4.3       | 2^{k−1} μ + O(n^{1+1/k})  | O(n^{1+1/k})        | W(n) + o(W(n))
§5          | O(μ log²(n))              | O(n log²(n))        | 5W(n)
§5          | O(μ log(n) + n log²(n))   | O(n log²(n))        | 7W(n)

Table 1: Summary of the complexity bounds of the certificates presented in this paper for Wiedemann's Krylov sequence


3 An … certificate

3.1 A four-step Baby-step/Giant-step interactive protocol

The protocol has four steps: Victor first selects the vectors for the sequence that are sent to Peggy. Peggy then computes the sequence and keeps some of the intermediate vectors, called checkpoints. She then sends the sequence to Victor together with the additional intermediate vectors which Victor will use to certify the received sequence:

1. Communications from Victor to Peggy

(a) Uniformly sample V_0 ∈ F^n, U ∈ F^n;
(b) Sends A, U, V_0.
(c) Asks for a sequence of δ + 1 elements.
(d) Asks for a checkpoint every K ≤ min{n, δ} matrix-vector products.

Communication is |A| + 2n ≤ μ + 2n.

2. Computations of Peggy:

(a) V_i = A V_{i−1} for i = 0..δ;
(b) s[i] = U^T V_i for i = 0..δ.

Complexity is exactly that of Wiedemann's sequence; that is O(nμ + n²) if δ = 2n.

3. Communications from Peggy to Victor

(a) Sends W_j = V_{jK} = A^{jK} V_0 for j = …;
(b) Sends s[i] for i = 0..δ.

Communication is |S| + … = O(…).

4. Verifications of Victor.

(a) Uniformly sample R = (r[i]) ∈ F^K and X ∈ F^n, with X ….

Then first compute some baby steps:

(b) Compute Z^T = X^T A^K in Kμ operations;
(c) Compute T = Σ_i r[i] U^T A^i in (K − 1)μ + 2Kn operations.

For each j = …:

(e) X^T W_j == Z^T W_{j−1} in 2×2n + n operations; // Checks the W_j with X
(f) Σ_i r[i] s[jK + i] == T W_j in 2K + 2n + 1 operations. // Checks the s[i] with R once W_j is certified

The overall complexity of the verification step is bounded by:

$$2K(\mu + n) + \frac{\delta}{K}(2K + 6n). \qquad (1)$$


Lemma 1. The above protocol is perfectly complete.

Proof. 4e: X^T W_j = X^T V_{jK} = X^T A^{jK} V_0 = X^T A^K A^{(j−1)K} V_0, so that we also have X^T W_j = X^T A^K V_{(j−1)K} = Z^T W_{j−1}.

4f: Σ_i r[i] s[jK + i] = Σ_i r[i] U^T V_{jK+i} = Σ_i r[i] U^T A^i V_{jK} = Σ_i r[i] U^T A^i W_j = T W_j. □

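The four-step protocol above, written out as an added example (not code from the paper) over the prime field GF(2^31 − 1): Peggy computes the sequence with checkpoints, Victor does K baby steps and one giant step per checkpoint, and two tampered certificates are rejected. The sparse matrix, U, V_0 and K are constructed here, and the example assumes K divides δ + 1 so that every s[i] lies in a full block of K.

```python
import random

P = 2**31 - 1  # prime modulus: the field F of this example is GF(P)

# A sparse matrix is a list of rows, each row a list of (column, value) pairs,
# so applying it costs about one multiplication per non-zero (the paper's mu).

def matvec(A, v):
    """Column vector A*v over GF(P)."""
    return [sum(a * v[j] for j, a in row) % P for row in A]

def vecmat(u, A):
    """Row vector u^T*A over GF(P); same cost as matvec (transposition principle)."""
    out = [0] * len(A)
    for i, row in enumerate(A):
        for j, a in row:
            out[j] = (out[j] + u[i] * a) % P
    return out

def dot(u, v):
    return sum(x * y for x, y in zip(u, v)) % P

def sparse_matrix(n, nnz_per_row, rng):
    """Constructed test input: n x n matrix with nnz_per_row non-zeros per row."""
    return [[(c, rng.randrange(1, P)) for c in rng.sample(range(n), nnz_per_row)]
            for _ in range(n)]

def peggy(A, U, V0, delta, K):
    """Steps 2 and 3: s[i] = U^T A^i V0 for i = 0..delta, plus one checkpoint
    W_j = V_{jK} every K matrix-vector products (W_0 = V0)."""
    V = list(V0)
    s, W = [dot(U, V)], [list(V)]
    for i in range(1, delta + 1):
        V = matvec(A, V)
        s.append(dot(U, V))
        if i % K == 0:
            W.append(list(V))
    return s, W

def victor(A, U, V0, delta, K, s, W, rng):
    """Step 4: K baby steps computing Z^T = X^T A^K and T = sum_i r[i] U^T A^i,
    then one giant step per checkpoint. Assumes (delta + 1) % K == 0."""
    n = len(V0)
    assert (delta + 1) % K == 0
    if len(s) != delta + 1 or len(W) != delta // K + 1 or W[0] != list(V0):
        return False
    X = [rng.randrange(P) for _ in range(n)]       # secret challenges (4a)
    R = [rng.randrange(P) for _ in range(K)]
    Z, T, UA = list(X), [0] * n, list(U)           # UA holds U^T A^i
    for i in range(K):                             # baby steps (4b), (4c)
        T = [(t + R[i] * ua) % P for t, ua in zip(T, UA)]
        UA = vecmat(UA, A)
        Z = vecmat(Z, A)
    for j in range(1, len(W)):                     # (4e): X^T W_j == Z^T W_{j-1}
        if dot(X, W[j]) != dot(Z, W[j - 1]):
            return False
    for j in range(len(W)):                        # (4f): sum_i r[i] s[jK+i] == T W_j
        if sum(R[i] * s[j * K + i] for i in range(K)) % P != dot(T, W[j]):
            return False
    return True

def run_demo(n=12, K=5, seed=1):
    """Honest run, then a tampered sequence term and a tampered checkpoint."""
    rng = random.Random(seed)
    A = sparse_matrix(n, 3, rng)
    delta = 2 * n                                  # delta + 1 = 25 = 5 * K
    U = [rng.randrange(P) for _ in range(n)]
    V0 = [rng.randrange(P) for _ in range(n)]
    s, W = peggy(A, U, V0, delta, K)
    bad_s = list(s)
    bad_s[7] = (bad_s[7] + 1) % P                  # one wrong sequence term
    bad_W = [list(w) for w in W]
    bad_W[2][0] = (bad_W[2][0] + 1) % P            # one wrong checkpoint vector
    return (victor(A, U, V0, delta, K, s, W, random.Random(seed + 1)),
            victor(A, U, V0, delta, K, bad_s, W, random.Random(seed + 1)),
            victor(A, U, V0, delta, K, s, bad_W, random.Random(seed + 1)))

if __name__ == "__main__":
    print(run_demo())  # (True, False, False)
```

A wrong s[i] is caught by the block check (4f) of its block, a wrong W_j by check (4e) for j and j + 1, each with error probability 1/P.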

3.2 Optimal Verifier complexity

Theorem 1. Let A ∈ F^{n×n} whose matrix-vector product can be computed in less than μ ≥ n arithmetic operations and a vector V_0 ∈ F^n. There exists a certificate of size:

$$\frac{1}{\sqrt{3}}\sqrt{\delta n(\mu + n)}$$

for the δ + 1 first elements of Wiedemann's Krylov sequence associated to A and V_0. This certificate is verifiable in time:

$$4\sqrt{3}\sqrt{\delta n(\mu + n)}.$$

With μ = … and δ = 2n, this is a Verifier in time … and communications ….

Proof. The optimal value of K minimizes Equation (1) and is therefore close to:

$$\sqrt{\frac{3n\delta}{\mu + n}}$$

Substituting the latter into Equation (1) gives the announced time complexity. For the size of the certificate, apart from the matrix A itself, the additional communications are the initial vectors sent by Victor and the intermediate checkpointing vectors sent by Peggy. Once again substituting the value for K gives the announced complexity. □

We ran this choice on a very sparse matrix with 3 non-zero elements per row. Results are shown in Table 2: computing the sequence took two hours, the thousand W checkpoints required about two gigabytes of data, and were checked in a little more than half a minute.

Prover    | Communications | Verifier: Z | Check Z | T     | Check T
1.8 hours | 1.9 GB         | 5.6 s       | 14.5 s  | 7.0 s | 6.0 s

Table 2: Verification for a matrix with m = n = 253008, 759022 non-zeroes and of compressed size of 3.8MB. This is 506046 iterations, and K = 503 was chosen, on one core of an i5-4690 @3.50GHz
3.3 Soundness

For the soundness, we need to sample from a finite subset S of F.

Theorem 2. If the Verifier samples R and X uniformly and independently from a finite subset S ⊆ F, then the Verifier mistakenly misses any error in the sequence or in the check-pointing vectors with probability ≤ 1/|S|.

Proof. 1. W_0 = V_0 is given. Thus, inductively, Peggy must find W_j for each j ≥ 1 such that M_j = W_j − A^K W_{j−1} satisfies X^T M_j = 0, for a random secret X unknown to her. If M_j is non-zero then there is a 1/|S| chance that the dot-product is zero.

2. Afterwards, let Θ_j be the vector of θ_j[i] = U^T A^i W_j = U^T A^{jK+i} V_0. W_j being correct, Peggy must find a vector Λ_j with λ_j[i] = s[jK + i] such that N_j = Λ_j − Θ_j satisfies R^T N_j = 0, for a random secret R unknown to her. If N_j is non-zero there is a 1/|S| chance that the dot-product is zero. □

To improve the probability, as usual, it is possible to rerun the protocol with some other vectors X and R, …

3.4 Public verifiability 

The protocol is publicly verifiable. Indeed, no response from the Prover is 
requested after the selection of the challenge X and R. Therefore, any external 
participant can also generate its own X and R and re-check the Krylov space 
vectors and Wiedemann’s sequence, at the cost given in Theorem 1. 

3.5 Constants for block Wiedemann's algorithm

It is possible to use the same protocol to check the matrix sequence produced in the block Wiedemann's algorithm [6] with a projection of s_1 vectors on the left and s_2 vectors on the right. The following modifications have to be made, mainly replacing some vectors by blocks of vectors:

• U ∈ F^{n×s_1}, V_0 ∈ F^{n×s_2}, W_j ∈ F^{n×s_2} and s[i] ∈ F^{s_1×s_2};
• X and Z remain in F^n while R ∈ … and r[i] is in fact the transpose of a vector in F^{s_1};
• and T ∈ ….

The length of the sequence is now ℓ = … + O(1) [14, 19].

1. Communications become: (n s_2) … + ℓ s_1 s_2.
2. Verifications become: Kμ + K(s_1 μ + 2 s_1 n + n) + ⌈ℓ/K⌉ (4 n s_2 + K(2 s_1 s_2 + s_2) + 2 n s_1 s_2).

Now the optimal K becomes:


K ~ I ^ I ^ 

y ^ si\l si\l fj.{^ + ^) + n 
As (^ + 2 ^) < 1, this is a Verifier in time bounded by: 

Si + 2(si + 1) -^Z + n) + 2 isiS 2 

With ^ and si = S 2 = s, the length of the sequence is ^ ~ 2^ so that 

the Verifier time becomes 


4 Recursive verification 

In fact, in the verification steps of Victor, in the protocol of Section 3, it is 
possible to also delegate the computation of Z and T. 

4.1 Denser matrices, Verifier in time 2μ + …

Next, we propose to delegate just the matrix-vector operations, so that we get a good complexity also on matrices with more than … entries. The idea is that the Verifier can delegate his computations of several successive matrix-vector products and check the whole list of computed vectors. Therefore he replaces matrix-vector products by checks of validity of vectors. The trick is that verifying a vector can be done with a single dot-product of cost 2n, while multiplying a matrix by a vector costs μ operations.

This way, correctness of a full Krylov space can be checked as given in Algorithm 1.

Algorithm 1 Checking the Krylov Space
Require: a matrix A ∈ F^{n×n} and a vector V_0 ∈ F^n;
Require: a list of d vectors [V_0, V_1, …, V_{d−1}];
Ensure: [V_0, V_1, …, V_{d−1}] = [V_0, A V_0, …, A^{d−1} V_0].
1: For S ⊆ F, uniformly sample Y ∈ S^n;
2: Compute H = Y^T A;
3: return H V_{i−1} == Y^T V_i, for i = 1..d.

Lemma 2. Algorithm 1 is sound, perfectly complete and requires μ + 4dn arithmetic operations.

Proof. Perfect completeness is granted inductively because V_0 is known and then since H V_{i−1} = Y^T A V_{i−1} = Y^T A^i V_0 = Y^T V_i. Soundness is granted because whenever A V_{i−1} − V_i ≠ 0, its dot-product with a uniformly selected Y ∈ S^n will be zero only with probability |S|^{−1}. Complexity for the Verifier is μ operations to compute H and then d checks performed by two dot-products of size n. □

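Algorithm 1 as runnable code (an added example, not the paper's own): Victor receives a delegated list of Krylov vectors and certifies it with one row-vector-times-matrix product and 2(d − 1) dot-products instead of d − 1 matrix-vector products; the matrix and vectors are constructed here over GF(2^31 − 1).

```python
import random

P = 2**31 - 1  # prime modulus; the field F of this example is GF(P)

def matvec(A, v):
    """A*v for a sparse row-list matrix (rows of (column, value) pairs)."""
    return [sum(a * v[j] for j, a in row) % P for row in A]

def vecmat(y, A):
    """Row vector y^T*A, the single mu-cost operation of the Verifier."""
    out = [0] * len(A)
    for i, row in enumerate(A):
        for j, a in row:
            out[j] = (out[j] + y[i] * a) % P
    return out

def dot(u, v):
    return sum(x * y for x, y in zip(u, v)) % P

def krylov_space(A, V0, d):
    """Prover side: the delegated list [V0, A V0, ..., A^{d-1} V0]."""
    Vs = [list(V0)]
    for _ in range(d - 1):
        Vs.append(matvec(A, Vs[-1]))
    return Vs

def check_krylov_space(A, V0, Vs, rng):
    """Algorithm 1: True iff Vs == [V0, A V0, ..., A^{d-1} V0], up to the
    1/|S| error probability (here |S| = P)."""
    if Vs[0] != list(V0):                             # V0 is known to Victor
        return False
    Y = [rng.randrange(P) for _ in range(len(A))]     # 1: Y uniformly in S^n
    H = vecmat(Y, A)                                  # 2: H = Y^T A, cost mu
    return all(dot(H, Vs[i - 1]) == dot(Y, Vs[i])     # 3: H V_{i-1} == Y^T V_i
               for i in range(1, len(Vs)))

def run_demo(n=16, d=12, seed=5):
    """Honest list, then the same list with one corrupted coordinate."""
    rng = random.Random(seed)
    # Constructed input: 3 non-zeros per row, like the matrix of Table 2
    A = [[(c, rng.randrange(1, P)) for c in rng.sample(range(n), 3)] for _ in range(n)]
    V0 = [rng.randrange(P) for _ in range(n)]
    Vs = krylov_space(A, V0, d)
    bad = [list(v) for v in Vs]
    bad[5][3] = (bad[5][3] + 1) % P                   # corrupts V_5, caught at i = 5 and 6
    return (check_krylov_space(A, V0, Vs, random.Random(seed + 1)),
            check_krylov_space(A, V0, bad, random.Random(seed + 1)))
```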

The idea is to delegate the computation of both Z (Point 4b of the protocol of Section 3) and T (Point 4c of the protocol of Section 3), and then to only check both resulting Krylov spaces. Note that it is mandatory that this delegation of the computation of Z and T takes place after the commitment of the W_j and the s[i] by the Prover.

In the complexity of Theorem 1, this replaces two Kμ factors (now an additional, but negligible, cost to the Prover), each by a μ + 4Kn factor. This gives a new complexity of 2μ + 10Kn + (δ/K)(2K + 6n) for the Verifier. There are some extra communications, the vectors used for the computation of Z and T, namely 2n(K − 1) field elements. We have proven:

Corollary 1. Let A ∈ F^{n×n} whose matrix-vector product can be computed in less than μ ≥ n arithmetic operations and a vector V_0 ∈ F^n. For any 1 ≤ K ≤ min{n, δ}, there exists a sound and perfectly complete protocol verifying the first δ + 1 elements of Wiedemann's Krylov sequence associated to A and V_0, in time 2μ + 10Kn + (δ/K)(2K + 6n). The associated certificate has size ….

The extra work for the Prover is that of the computation of Z and T, both bounded by O(μK) = O(μ√n), negligible with respect to the computation of the sequence, O(μn).

In terms of computational time for the Verifier, the associated optimal K factor becomes K = √(3δ/5) and the Verifier complexity is transformed into:

$$4n + 2\mu + 4n\sqrt{15\delta}.$$

With δ = 2n, this gives a Verifier complexity bounded by 2μ + 21.91 n^{1.5}, with a certificate of size bounded by 4.02 n^{1.5}.

4.2 Optimal 2-levels of recursion and an … certificate for Wiedemann's algorithm

Now, instead of just delegating the matrix-vector products, we delegate the whole computation of Z and T:

1. For Z, it is actually sufficient to reuse the scheme of Section 4.1 with δ = K, choosing a K_2 ≤ K, and Z will be certified as the last W_j vector. The time for the Verifier for this step is thus bounded by 2μ + 10nK_2 + (K/K_2)(2K_2 + 6n).

2. For T, the protocol is twofold:

(a) Send the r[i], U and A, and ask just for T in return;
(b) Only now, send a uniformly sampled vector Ψ and ask for a certificate of the sequence Γ = (γ[i]) = U^T A^i Ψ;
(c) Then one can check that T Ψ == Σ_i r[i] γ[i].

Theorem 3. For A ∈ F^{n×n} whose matrix-vector product can be computed in less than μ ≥ n arithmetic operations and a vector V_0 ∈ F^n, there exists a sound and perfectly complete interactive certificate for the associated Wiedemann's Krylov sequence of size O(n^{4/3}). This certificate is verifiable in time

$$4\mu + O(n^{4/3}).$$

Proof. We still use the protocol of Section 3, but replace the computation of Z and T by the above delegated scheme.

The protocol is perfectly complete, since Σ_i r[i] γ[i] = Σ_i r[i] (U^T A^i Ψ) = (Σ_i r[i] U^T A^i) Ψ = T Ψ.

The protocol is sound because the γ[i] are correctly verified by a sound protocol. Then, Ψ being unknown when asking for T, T cannot be engineered to satisfy the last check: if G = T − Σ_i r[i] U^T A^i is non-zero then there is a 1/|S| chance that its dot-product with Ψ is zero.

Verifier time and space for T are that of Corollary 1 for the sequence Γ, and a supplementary dot-product. Verifier time and space for Z are also that of Corollary 1. Therefore, since 6n + 2K ≤ 8n, overall, the Verifier runs now in time bounded by:

$$2\left(2\mu + 10nK_2 + 8n\frac{K}{K_2}\right) + 2n + 8n\frac{\delta}{K}$$

with a certificate of size bounded by: …

With δ = 2n, optimal values for K and K_2 are now respectively n^{2/3} and n^{1/3}, for a Verifier in time 4μ + O(n^{4/3}) with a certificate of size O(n^{4/3}). □

The extra work for the Prover is that of the computation of Z and T, both bounded by O(μK) = O(μ n^{2/3}), of Γ (if done together with that of T, this requires only K dot-products), and of the Zs and Ts for the verifications of Z, T and Γ. Those are bounded by O(μK_2) = O(μ n^{1/3}). All this is negligible with respect to the computation of the sequence, O(μn).

4.3 More levels and a Verifier in time 2^{k−1} μ + O(n^{1+1/k})

Once it is proven that the computation of Z and T can be delegated, then the computation of Z_2 and T_2 in their verification can also be delegated. The idea is thus to use the protocol of Section 4.2, also for Z and T, but with two parameters K_1 and K_2 to set and δ = K in Equation (2), where (2) is the Verifier bound of Section 4.2:

$$4\mu + O\left(nK_2 + n\frac{K}{K_2} + n\frac{\delta}{K}\right). \qquad (2)$$

The verification time for Z and T becomes 4μ + O(nK_2 + nK_1/K_2 + nK/K_1) for each and, overall, the Verifier thus runs now in time bounded by:

$$8\mu + O\left(nK_2 + n\frac{K_1}{K_2} + n\frac{K}{K_1} + n\frac{\delta}{K}\right). \qquad (3)$$

With K_2 = n^{α_2}, K_1 = n^{α_1} and K = n^{β}, the optimal values should equal 1 + α_2 = 1 + α_1 − α_2 = 1 + β − α_1 = 2 − β, or, differently written, 2α_2 − α_1 = 0; −α_2 + 2α_1 − β = 0; −α_1 + 2β = 1. This yields [α_2 = 1/4, α_1 = 1/2, β = 3/4], so that K_2 = n^{1/4}, K_1 = n^{1/2}, K = n^{3/4} and the complexity is bounded by:

$$8\mu + O(n^{5/4}).$$

As previously, the size of the certificate is also reduced to O(n^{5/4}) and the extra work for the Prover is increased to O(μ n^{3/4}), still negligible with respect to O(μn).

More generally, for any k, we have

$$\begin{bmatrix} 2 & -1 & 0 & \cdots & 0 \\ -1 & 2 & -1 & \ddots & \vdots \\ 0 & \ddots & \ddots & \ddots & 0 \\ \vdots & \ddots & -1 & 2 & -1 \\ 0 & \cdots & 0 & -1 & 2 \end{bmatrix} \begin{bmatrix} \alpha_{k-2} \\ \alpha_{k-3} \\ \vdots \\ \alpha_1 \\ \beta \end{bmatrix} = \begin{bmatrix} 0 \\ 0 \\ \vdots \\ 0 \\ 1 \end{bmatrix}$$
For L a unit lower triangular matrix, the latter gives, via Gaussian elimination without pivoting:

$$\begin{bmatrix} 2 & -1 & 0 & \cdots & 0 \\ 0 & \frac{3}{2} & -1 & \ddots & \vdots \\ \vdots & \ddots & \frac{4}{3} & \ddots & 0 \\ & & \ddots & \frac{k-1}{k-2} & -1 \\ 0 & \cdots & & 0 & \frac{k}{k-1} \end{bmatrix} \begin{bmatrix} \alpha_{k-2} \\ \alpha_{k-3} \\ \vdots \\ \alpha_1 \\ \beta \end{bmatrix} = L^{-1} \begin{bmatrix} 0 \\ \vdots \\ 0 \\ 1 \end{bmatrix} = \begin{bmatrix} 0 \\ \vdots \\ 0 \\ 1 \end{bmatrix}$$

So that the solution is:

$$\begin{bmatrix} \alpha_{k-2} & \alpha_{k-3} & \cdots & \alpha_2 & \alpha_1 & \beta \end{bmatrix} = \begin{bmatrix} \frac{1}{k} & \frac{2}{k} & \cdots & \frac{k-3}{k} & \frac{k-2}{k} & \frac{k-1}{k} \end{bmatrix} \qquad (6)$$

Thus n^{1+α_{k−2}} = n^{1+α_{k−3}−α_{k−2}} = … = n^{1+β−α_1} = n^{2−β} = n^{1+1/k}.

The size of the certificate is thus O(n^{1+1/k}), the time for the Verifier is 2^{k−1} μ + O(n^{1+1/k}) and the extra work for the Prover becomes Σ_{t=1}^{k−1} … = O(μ n^{(k−1)/k}), still negligible with respect to O(μn).

5 A μ log(n) + n log²(n) certificate

The same idea actually gives rise to a certificate verifiable with only log₂(n) matrix-vector products: use a recursive certificate with K = δ/2.
We first need to separate the interactive protocol of Section 4.2 into atomic parts: a recursive interactive protocol for certifying a single vector corresponding to a large power of A times an initial vector, and a combination of mutually recursive protocols for the sequence.

5.1 Certificate for the large powers

We want here to certify that Z == A^d V. For this we will need to check successive powers of two.

5.1.1 Certificate for the large powers with a logarithmic number of matrix-vector products

We define the certificate PowerCertificate(A, V, d) to be two vectors Z, Z_{/2} that satisfy Z == A^d V and Z_{/2} == A^{⌊d/2⌋} V. Then checking this certificate is shown in Algorithm 2.

Algorithm 2 Logarithmic interactive recursive check of PowerCertificate(A, V, d)
Require: Matrix A ∈ F^{n×n}, vector V ∈ F^n, exponent d;
Require: A pair of vectors Z, Z_{/2} = PowerCertificate(A, V, d).
Ensure: Z == A^d V and Z_{/2} == A^{⌊d/2⌋} V.
1: if d == 1 then
2:   return Z_{/2} == V and Z == AV.
3: else
4:   Uniformly sample W ∈ F^n;
5:   Request (Y, Y_{/2}) = PowerCertificate(A^T, W, ⌊d/2⌋) and recursively check it;
6:   if d is even then
7:     return W^T Z_{/2} == Y^T V and W^T Z == Y^T Z_{/2}
8:   else
9:     return W^T Z_{/2} == Y^T V and W^T Z == Y^T (A Z_{/2}).
10:  end if
11: end if

Lemma 3. Algorithm 2 is sound and perfectly complete. It requires log₂(d) rounds, 3 log₂(d) n communications, 2dμ arithmetic operations for the Prover, and less than (μ + 8n) log₂(d) + μ arithmetic operations for the Verifier.

Proof. The protocol is perfectly complete by induction: the basis of the induction is given by the case d == 1; then by induction Y = (A^T)^{⌊d/2⌋} W, so that:

$$W^T Z_{/2} = W^T A^{\lfloor d/2 \rfloor} V = Y^T V$$

and, if d is even:

$$W^T Z = W^T A^d V = (W^T A^{\lfloor d/2 \rfloor})(A^{\lfloor d/2 \rfloor} V) = Y^T Z_{/2}$$

or, if d is odd:

$$W^T Z = W^T A^d V = (W^T A^{\lfloor d/2 \rfloor})\, A\, (A^{\lfloor d/2 \rfloor} V) = Y^T A Z_{/2}.$$

The protocol is sound: the Prover produces the commitments Z and Z_{/2}, then the Verifier sends a challenge W and the Prover responds with Y. There, the Prover has two possibilities, either he returns a correct Y or not. In the first case, as W was chosen uniformly at random, there are two sub-cases, either Z_{/2} is wrong or not. If Z_{/2} was incorrectly chosen so that Z_{/2} − A^{⌊d/2⌋} V is non-zero, there is a 1/|S| chance that its dot-product with W^T is zero and thus that it can pass the W^T Z_{/2} == Y^T V check. Conversely, if Z_{/2} is correct, if Z was incorrectly chosen so that Z − A^{⌈d/2⌉} Z_{/2} is non-zero, there is a 1/|S| chance that its dot-product with W^T is zero. Both tests are not independent but overall there is less than a 1/|S| chance to pass both of them. In the second case, Y is incorrect but can very well be made to make both latter dot-products zero, for any values of Z, Z_{/2} and W. But if Y is incorrect, it will not pass the recursive test if ⌊d/2⌋ = 1, and will pass it only with probability less than |S|^{−1} for other values of d. Therefore, if Peggy's commitment was incorrect, the probability that it passes all the subsequent tests of Algorithm 2 is less than |S|^{−1}.

Now, communication is that of the certificate, the 3 vectors W, Y and Y_{/2} per recursive call, that is 3 log₂(d) n. Time complexity for the Verifier satisfies {T(d) ≤ T(d/2) + μ + 8n, T(1) = μ}, that is less than (μ + 8n) log₂(d) + μ. Now the cost has been transferred to the Prover, who has to compute the sequence plus half a sequence, plus a fourth of a sequence, …; recursively, the overall cost for the Prover is doubled to 2dμ. □

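Algorithm 2 and Lemma 3 as an added example (not the paper's code): Peggy's commitment (Z, Z_{/2}), Victor's recursive check over GF(2^31 − 1) with the transposed matrix at each level, and a counter of the matrix-vector products Victor performs himself, which stays at one per odd level plus the base case, i.e. at most log₂(d) + 1. The matrix, V and the challenge source are constructed here.

```python
import random

P = 2**31 - 1  # prime modulus; the field F of this example is GF(P)

def matvec(A, v):
    """A*v for a sparse row-list matrix (rows of (column, value) pairs)."""
    return [sum(a * v[j] for j, a in row) % P for row in A]

def transpose(A):
    """Row-list representation of A^T (same non-zeros, indices swapped)."""
    At = [[] for _ in A]
    for i, row in enumerate(A):
        for j, a in row:
            At[j].append((i, a))
    return At

def dot(u, v):
    return sum(x * y for x, y in zip(u, v)) % P

def power_certificate(A, V, d):
    """Peggy: (Z, Z_half) = (A^d V, A^{floor(d/2)} V) by d matrix-vector products."""
    Z, Z_half = list(V), list(V)                 # floor(d/2) == 0 leaves Z_half = V
    for i in range(1, d + 1):
        Z = matvec(A, Z)
        if i == d // 2:
            Z_half = list(Z)
    return Z, Z_half

def check_power_certificate(A, V, d, cert, rng, stats, prover=power_certificate):
    """Algorithm 2 (Victor). `prover` answers the challenge W with a certificate
    for (A^T)^{floor(d/2)} W; stats['matvec'] counts Victor's own products."""
    Z, Z_half = cert
    if d == 1:                                      # lines 1-2
        stats['matvec'] += 1
        return Z_half == list(V) and Z == matvec(A, V)
    W = [rng.randrange(P) for _ in range(len(V))]   # line 4: challenge
    At = transpose(A)
    Y_cert = prover(At, W, d // 2)                  # line 5: response ...
    if not check_power_certificate(At, W, d // 2, Y_cert, rng, stats, prover):
        return False                                # ... recursively checked
    Y = Y_cert[0]                                   # Y^T = W^T A^{floor(d/2)}
    if dot(W, Z_half) != dot(Y, V):                 # W^T Z_half == Y^T V
        return False
    if d % 2 == 0:                                  # line 7
        return dot(W, Z) == dot(Y, Z_half)
    stats['matvec'] += 1                            # line 9: odd d needs A Z_half
    return dot(W, Z) == dot(Y, matvec(A, Z_half))

def run_demo(n=10, d=13, seed=3):
    """Honest certificate, Victor's matvec count, then two tampered certificates."""
    rng = random.Random(seed)
    A = [[(c, rng.randrange(1, P)) for c in rng.sample(range(n), 3)] for _ in range(n)]
    V = [rng.randrange(P) for _ in range(n)]
    Z, Z_half = power_certificate(A, V, d)
    stats = {'matvec': 0}
    ok = check_power_certificate(A, V, d, (Z, Z_half), random.Random(seed + 1), stats)
    bad_Z = list(Z)
    bad_Z[0] = (bad_Z[0] + 1) % P
    bad_half = list(Z_half)
    bad_half[0] = (bad_half[0] + 1) % P
    return (ok, stats['matvec'],
            check_power_certificate(A, V, d, (bad_Z, Z_half), random.Random(seed + 1), {'matvec': 0}),
            check_power_certificate(A, V, d, (Z, bad_half), random.Random(seed + 1), {'matvec': 0}))
```

For d = 13 the recursion visits d = 13, 6, 3, 1, so Victor multiplies by A only three times (two odd levels and the base case) while Peggy does 13 + 6 + 3 + 1 products.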
5.1.2 Public verifiability of the large power

Another view of the verification of Algorithm 2 can be given as an interactive certificate in Figure 1.

As the challenge is only random samples selected after the commitment (and this is true also recursively), the Fiat-Shamir heuristic can be used at each step [9, 1, 2]: W can be just the result of a cryptographically strong hash function on A, V, d, and Z, Z_{/2}. Then any external verifier can simulate the whole protocol by recomputing also the hashes.

5.1.3 Certificate for the large powers with a single matrix-vector product

Actually, Algorithm 2 can be made to require a single matrix-vector product. The speed-up for the Verifier is obtained by recursively asking for a little more: some arithmetic cost for the Verifier is traded off against an extra cost for the Prover and some extra communications.
[Figure 1, recovered as text]
Peggy                                              Victor
Input
Commitment      1: Z, Z_{/2}                  →
Challenge                                     ←    2: W, with W ∈ F^n
Response        3: Y, Y_{/2} = PowerCert(A^T, W, ⌊d/2⌋)   →
Recursive check                                    if (d = 1): Y == A^T W, Y_{/2} == W
                                                   W^T Z == Y^T Z_{/2}, W^T Z_{/2} == Y^T V

Figure 1: Interactive certificate for A^d V


The certificate PowerCertificate(A, V, d) is modified to be three vectors: for any t such that 2^t ≥ d, we check A^d V, together with A^{2^t} V and A^{2^{t−1}} V.

Algorithm 3 Interactive recursive check of PowerCertificate(A, V, d, 2^t)
Require: Matrix A ∈ F^{n×n}, vector V ∈ F^n, exponent d ≥ 2, t such that 2^t ≥ d;
Require: A triple of vectors Z_t, Z, Z_{t−1} = PowerCertificate(A, V, d, 2^t).
Ensure: Z_{t−1} == A^{2^{t−1}} V and Z == A^d V and Z_t == A^{2^t} V.
1: Uniformly sample W ∈ F^n;
2: if d == 2 then
3:   Compute Y = A^T W;
4:   return W^T Z_0 == Y^T V and W^T Z == Y^T Z_0 and Z_1 == Z.
5: else
6:   Request (Y_{t−1}, Y, Y_{t−2}) = PowerCertificate(A^T, W, d − 2^{t−1}, 2^{t−1}) and recursively check it;
7:   return W^T Z_{t−1} == Y_{t−1}^T V and W^T Z == Y^T Z_{t−1} and W^T Z_t == Y_{t−1}^T Z_{t−1}.
8: end if

Lemma 4. Algorithm 3 is sound and perfectly complete. It requires log₂(d) rounds, 4 log₂(d) n communications, less than 4dμ arithmetic operations for the Prover, and less than μ + 8n + 12n log₂(d) arithmetic operations for the Verifier.

The proof is similar to that of Lemma 3.
5.2 Certificate for the sequence

Now the idea is to use the protocol of Section 3, with K = δ/2, but with the computations of Z and T completely delegated. The computation of Z can be verified using either one of the PowerCertificate(...) protocols of Section 5.1. Wiedemann's Krylov sequence and T will then be verified with two distinct protocols, mutually recursive:

• For the sequence, with K = δ/2, the verification loop of point 4e is reduced to the verification of two checkpoint vectors (W, W_{/2}) and of two parts of the sequence S = (s[i]) = (s_H, s_L). Thus the data structure SequenceCertificate(U, A, V, d) is a combination of two vectors (W, W_{/2}), a sequence S = (s[i]) and two other certificates, one for Z: PowerCertificate(A^T, X, d/2), and the second one for the linear combination T: CombinationCertificate(R, U, A, d/2), for uniformly sampled X and R. The checkpoint vectors satisfy W == A^d V and W_{/2} == A^{⌊d/2⌋} V, and the output sequence satisfies the expected S = (s[i]) = (s_H, s_L) == U^T A^i V for i = 0..d.

• For the delegation of T, it is sufficient to generate a certified sequence with another right projection. Thus, CombinationCertificate(R, U, A, d) is a combination of the vector T, that must satisfy as expected T == Σ_i r[i] U^T A^i, and of another certificate, SequenceCertificate(U, A, Ψ, d), for a uniformly sampled Ψ.

Checking these two certificates is done by using the following two mutually recursive procedures, shown in Algorithms 4 and 5.

Theorem 4. Let A ∈ F^{n×n} whose matrix-vector product can be computed in less than μ ≥ n arithmetic operations and a vector V_0 ∈ F^n. There exists a certificate of size O(n log(n)) for the d + 1 first elements of Wiedemann's Krylov sequence associated to A and V_0. This certificate can be checked using the protocol of Algorithm 4. Depending on the PowerCertificate(...) routine chosen, the constant factor of this size and the Prover and Verifier arithmetic complexity bounds for this protocol are given in Table 3.


Power Certificate | Verifier                     | Extra Communication | Prover
§ 5.1.1           | ½ μ log₂²(n) + 4n log₂²(n)   | 3/2 n log₂²(n)      | 5W(n)
§ 5.1.3           | μ log₂(n) + 6n log₂²(n)      | 2n log₂²(n)         | 7W(n)

Table 3: Dominant terms of the complexity bounds for the verification of Wiedemann's Krylov sequence depending on the certification of Z == A^d V.


Algorithm 4 Interactive check of SequenceCertificate(U, A, V, d)

Require: Matrix A ∈ F^{n×n}, two vectors U, V ∈ F^n, sequence length d + 1 with d ≥ 2;
Require: A pair of vectors W, W_{/2} ∈ F^n;
Require: A sequence (s[*]) ∈ F^{d+1}.
Ensure: W = A^{2⌊d/2⌋} V and W_{/2} = A^{⌊d/2⌋} V;
Ensure: s[i] = U^T A^i V for i = 0..d.

1: if d == 2 then
2:   return s[0] == U^T V and W_{/2} == AV and s[1] == U^T W_{/2} and W == A W_{/2} and s[2] == U^T W.
3: else
4:   Uniformly sample λ ∈ F^n;
5:   Ask for (Z, ...) = PowerCertificate(A^T, λ, ⌊d/2⌋) and check it;
6:   Let first ← λ^T W_{/2} == Z^T V;
7:   Let second ← λ^T W == Z^T W_{/2};
8:   Uniformly sample R ∈ F^{⌈d/2⌉+1};
9:   Ask for (T, ...) = CombinationCertificate(R, U, A, ⌈d/2⌉) and check it;
10:  Let sl = (s[0], ..., s[⌈d/2⌉]) and third ← R^T sl == T^T V;
11:  Let sh = (s[⌊d/2⌋], ..., s[d]) and fourth ← R^T sh == T^T W_{/2};
12:  return first and second and third and fourth.
13: end if

Proof. The protocol is sound and perfectly complete by induction on the size
of the sequence: the case d = 2 in Algorithm 4 gives the base of the induction;
then the four explicit checks are correct thanks to Lemma 1 and sound thanks
to Theorem 2; PowerCertificate(...) is correct and sound by Lemma 3 or
Lemma 4; and CombinationCertificate(...) is correct and sound, first by
induction on SequenceCertificate(...) with half the initial size, and second,
since the explicit check is correct and sound by Theorem 3.

The complexity for the Verifier of the SequenceCertificate(...) sequence satisfies

    SequenceCertificate(d) = PowerCertificate(d/2) + CombinationCertificate(d/2) + 12n + 2d,
    SequenceCertificate(2) = 2μ + 6n.

The complexity for the Verifier of T satisfies

    CombinationCertificate(x) = SequenceCertificate(x) + 2n + 2x.

With PowerCertificate(x) = (μ + 8n) log₂(x) + … (see Lemma 3), the
dominant terms of the complexity bound for the Verifier are thus:

    SequenceCertificate(d) = ½ μ log₂²(d) + 4n log₂²(d).
Algorithm 5 Interactive check of CombinationCertificate(R, U, A, d)

Require: Matrix A ∈ F^{n×n}, two vectors R ∈ F^{d+1} and U ∈ F^n, sequence length d + 1;
Require: A vector T ∈ F^n.
Ensure: T = Σ_{i=0}^{d} R[i] (A^T)^i U.

1: Uniformly sample ψ ∈ F^n;
2: Ask for (Γ, ...) = SequenceCertificate(U, A, ψ, d) and check it;
3: return R^T Γ == T^T ψ.

Similarly, with PowerCertificate(x) = μ + 8n + 12n log₂(x) + … (see Lemma 4)
we get:

    SequenceCertificate(d) = μ log₂(d) + 6n log₂²(d).

With d = 2n we obtain the Verifier column of Table 3.

Similarly, communication is dominated either by ½ n log₂²(d) or by 2n log₂²(d).

The Prover has to compute the Krylov space and the Krylov sequence plus
the work for Z, the work for T and the recursive calls: P(d) = (dμ + 2dn) +
PowerCertificate(d/2) + ((d/2)μ + 2(d/2)n + P(d/2)), so that the overall extra
cost for the Prover is dominated by either 5dμ + 6dn or 7dμ + 6dn. For d = 2n,
the cost for the Prover without verification is W(n) = 2nμ + 4n², which induces
the last column of Table 3. □
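The recursion of Algorithms 4 and 5 is easier to follow when the Prover and the Verifier are both written out. The Python model below is an added example, not code from the paper: it runs the protocol over a constructed prime field F_p (p = 2^31 − 1), on a constructed 5×5 sparse matrix, with d = 2n. The only deliberate simplification is PowerCertificate: the Verifier here rechecks the whole chain v, Mv, ..., M^k v with k matrix-vector products, standing in for the sub-linear variants of Lemmas 3 and 4, which this example does not reproduce. The names `Prover`, `Verifier`, `check_sequence`, `check_combination` and `certified_krylov_sequence` are this example's own. A `tamper` argument lets one see a cheating Prover being caught by the random-projection checks.

```python
import random

# Added model of Algorithms 4 and 5 over a prime field; everything below is constructed
# for illustration and is not the paper's code.
P = 2**31 - 1                 # field F_p; a cheating Prover survives each check with probability about 1/P
rng = random.Random(2016)     # seeded so the interactive transcript is reproducible


def matvec(M, v):
    """M v over F_p. M is a dense list of rows here; the protocol only needs a black-box product."""
    return [sum(a * x for a, x in zip(row, v)) % P for row in M]


def transpose(M):
    return [list(col) for col in zip(*M)]


def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % P


def rand_vec(k):
    return [rng.randrange(P) for _ in range(k)]


class Prover:
    """Answers the Verifier's requests; honest unless its output is tampered with by the caller."""

    def __init__(self, A):
        self.A, self.AT = A, transpose(A)

    def power_chain(self, M, v, k):
        """v, M v, ..., M^k v. Stands in for PowerCertificate: the Verifier rechecks every link
        (k matrix-vector products) instead of using the paper's Lemma 3 / Lemma 4 checks."""
        chain = [v]
        for _ in range(k):
            chain.append(matvec(M, chain[-1]))
        return chain

    def sequence_certificate(self, U, V, d):
        """SequenceCertificate(U, A, V, d): s[i] = U^T A^i V, W_/2 = A^{floor(d/2)} V, W = A^{2 floor(d/2)} V."""
        kry = self.power_chain(self.A, V, d)
        return {"s": [dot(U, w) for w in kry], "W_half": kry[d // 2], "W": kry[2 * (d // 2)]}

    def combination_certificate(self, R, U, d):
        """CombinationCertificate(R, U, A, d): T = sum_i R[i] (A^T)^i U."""
        chain = self.power_chain(self.AT, U, d)
        return [sum(R[i] * chain[i][j] for i in range(d + 1)) % P for j in range(len(U))]


class Verifier:
    def __init__(self, A, prover):
        self.A, self.AT, self.prover = A, transpose(A), prover

    def check_power(self, M, v, k):
        """Naive power certificate: returns (accepted, M^k v)."""
        chain = self.prover.power_chain(M, v, k)
        ok = len(chain) == k + 1 and chain[0] == v and all(
            chain[i + 1] == matvec(M, chain[i]) for i in range(k))
        return ok, chain[-1]

    def check_sequence(self, U, V, d, cert):
        """Algorithm 4: interactive check of SequenceCertificate(U, A, V, d)."""
        s, Wh, W = cert["s"], cert["W_half"], cert["W"]
        if d < 2 or len(s) != d + 1:
            return False
        if d == 2:                                          # base case: two explicit products
            return (s[0] == dot(U, V) and Wh == matvec(self.A, V) and s[1] == dot(U, Wh)
                    and W == matvec(self.A, Wh) and s[2] == dot(U, W))
        lo, hi = d // 2, (d + 1) // 2                       # floor(d/2), ceil(d/2)
        lam = rand_vec(len(V))
        ok, Z = self.check_power(self.AT, lam, lo)          # Z = (A^T)^lo lambda
        first = dot(lam, Wh) == dot(Z, V)                   # W_/2 = A^lo V, projected on lambda
        second = dot(lam, W) == dot(Z, Wh)                  # W = A^lo W_/2
        R = rand_vec(hi + 1)
        T = self.prover.combination_certificate(R, U, hi)
        ok = ok and self.check_combination(R, U, hi, T)
        third = dot(R, s[:hi + 1]) == dot(T, V)             # s[0..hi] against V
        fourth = dot(R, s[lo:]) == dot(T, Wh)               # s[lo..d] against W_/2
        return ok and first and second and third and fourth

    def check_combination(self, R, U, d, T):
        """Algorithm 5: a random psi and a half-size SequenceCertificate certify T."""
        psi = rand_vec(len(U))
        cert = self.prover.sequence_certificate(U, psi, d)
        return self.check_sequence(U, psi, d, cert) and dot(R, cert["s"]) == dot(T, psi)


def certified_krylov_sequence(A, U, V, d, tamper=None):
    """Run the protocol; tamper=(i, delta) simulates a Prover that alters s[i]. Returns (accepted, s)."""
    prover = Prover(A)
    cert = prover.sequence_certificate(U, V, d)
    if tamper is not None:
        i, delta = tamper
        cert["s"][i] = (cert["s"][i] + delta) % P
    return Verifier(A, prover).check_sequence(U, V, d, cert), cert["s"]


# Constructed 5x5 sparse sample; d = 2n as in the paper's bounds.
A_SAMPLE = [[2, 0, 0, 1, 0], [0, 3, 0, 0, 0], [1, 0, 0, 0, 5], [0, 0, 7, 1, 0], [0, 0, 0, 0, 4]]
U_SAMPLE, V_SAMPLE = [1, 2, 3, 4, 5], [5, 0, 1, 0, 2]

if __name__ == "__main__":
    print(certified_krylov_sequence(A_SAMPLE, U_SAMPLE, V_SAMPLE, 10)[0])                 # True
    print(certified_krylov_sequence(A_SAMPLE, U_SAMPLE, V_SAMPLE, 10, tamper=(1, 1))[0])  # False
```

The altered entry s[1] is caught by the `third` check, since R^T sl then differs from T^T V by R[1]·δ, which is nonzero unless the random R[1] happens to be 0 (probability 1/p). With the naive `check_power` the Verifier's cost is still linear in d; substituting one of the Section 5.1 power certificates is what brings it down to the bounds of Table 3.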

6 Certificate for the determinant, the minimal and the characteristic polynomials

We denote by SeqCert a certificate for Wiedemann's Krylov sequence. This
can be for instance any of the subquadratic certificates of Sections 3, 4 or 5.

This directly induces a certificate for the minimal polynomial of a sequence:
the Prover just produces the sequence, and the Verifier computes by himself the
minimal polynomial of the sequence via the fast extended Euclidean algorithm
(EEA). In a sufficiently large field, Wiedemann has shown that this in turn in-
duces a certificate for the minimal polynomial of a matrix, MinPoly. In smaller
fields one would need to use a certificate for a Block Wiedemann sequence, and
maybe some variants of the certificate of Section 3.5. Then a certificate for the
determinant, Det, is obtained via Wiedemann's preconditioning, PreCond-
Cyc, ensuring the square-freeness of the characteristic polynomial. Finally, to
get a certificate for the characteristic polynomial of a matrix, CharPoly, first
ask for the characteristic polynomial; it is then sufficient to certify the
determinant at a random point.

We propose in Table 4 a summary of the reductions presented in this section.
The details of these reductions and the proofs of the complexity claims shown
in Table 4 are given in Theorems 5, 6 and 7.
          | Verifier              | Communication                     | Prover
MinPoly   | Verify(SeqCert) + EEA | Communicate(SeqCert) + 2n         | Compute(SeqCert)
Det       | Verify(MinPoly)       | Communicate(MinPoly + PreCondCyc) | Compute(MinPoly + PreCondCyc)
CharPoly  | Verify(Det) + 2n      | Communicate(Det) + n              | Compute(CharPoly) + Compute(Det)

Table 4: Summary of the complexity reductions for the certification of the
determinant, the minimal and the characteristic polynomials of sparse matrices


6.1 MinPoly 

Theorem 5 ([21]). Certifying the minimal polynomial can be reduced to the
certification of Wiedemann's Krylov sequence.

Proof. The minimal polynomial of a linearly recurrent sequence can be com-
puted by the fast Euclidean algorithm, see, e.g., [20, Theorem 12.10]. Then
Wiedemann's analysis shows that in a sufficiently large field the minimal poly-
nomial of a matrix can be recovered by computing the least common multiple
of the minimal polynomials of sequences obtained by random projections [21,
Proposition 4].

Therefore, the work of the Prover is just that of computing minimal poly-
nomials of sequences at given vector projections. Communication is that of the
two vector projections, 2n. Finally the work of the Verifier is to verify the cer-
tificate for the sequence and then to apply the fast Euclidean algorithm, at cost
n^{1+o(1)}, to recover the minimal polynomial by himself. □

6.2 Det 

Theorem 6 ([21]). Certifying the determinant can be reduced to the certification
of the minimal polynomial.

Proof. We use the idea of [21, Theorem 2]: precondition the initial matrix A into
a modified matrix B whose characteristic polynomial is square-free, and whose
determinant is an easily computable modification of that of A. For instance,
such a PreCondCyc preconditioner can be a diagonal matrix if the field is
sufficiently large [4, Theorem 4.2]. Precondition to get a square-free charpoly [21,
Theorem 2] and then certify the associated minpoly. □
6.3 CharPoly


Theorem 7 ([8]). Certifying the characteristic polynomial can be reduced to the
certification of the determinant.

Proof. The reduction is that of [8, Figure 1]: the Prover computes the char-
acteristic polynomial and sends it as a commitment to the Verifier; then the
Verifier gives a point λ as challenge to the Prover, which responds with the de-
terminant of λ·Id − A and a certificate for that determinant (λ·Id − A remains
sparse and costs no more than μ + n to be applied to a vector). Finally, the
Verifier simply evaluates the commitment at λ and checks the equality with
the certified determinant. □
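The three reductions of Theorems 5, 6 and 7 fit in one short script. The following is an added example, not the paper's code, again over a constructed prime field F_p: the Verifier recovers the minimal polynomial of the (already certified, see Section 5) sequence with Berlekamp–Massey, which computes the same polynomial as the fast EEA of the text; Det uses a random diagonal scaling as a stand-in for PreCondCyc, which assumes A nonsingular and the field large; CharPoly runs the commit-then-challenge exchange of Theorem 7. The helpers `berlekamp_massey`, `minpoly_certificate`, `det_certificate` and `charpoly_protocol`, and the 3×3 sample matrix with eigenvalues 2, 3, 5, are this example's own.

```python
import random

# Added illustration of the Section 6 reductions over a prime field; constructed, not the paper's code.
P = 2**31 - 1
rng = random.Random(7)


def matvec(M, v):
    return [sum(a * x for a, x in zip(row, v)) % P for row in M]


def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % P


def rand_vec(k):
    return [rng.randrange(P) for _ in range(k)]


def poly_eval(coeffs, x):
    """Horner evaluation; coeffs are high-to-low."""
    acc = 0
    for c in coeffs:
        acc = (acc * x + c) % P
    return acc


def berlekamp_massey(s):
    """Monic minimal polynomial (high-to-low coefficients) of a linearly recurrent sequence over F_p.
    Plays the role of the fast EEA in the text: same output, quadratic cost here."""
    C, B, L, m, b = [1], [1], 0, 1, 1
    for i in range(len(s)):
        d = s[i]                                   # discrepancy of the current recurrence at step i
        for j in range(1, L + 1):
            d = (d + C[j] * s[i - j]) % P
        if d == 0:
            m += 1
            continue
        coef = d * pow(b, P - 2, P) % P
        prev = C[:]
        C = C + [0] * (len(B) + m - len(C))
        for j in range(len(B)):
            C[j + m] = (C[j + m] - coef * B[j]) % P
        if 2 * L <= i:                             # the recurrence must grow
            L, B, b, m = i + 1 - L, prev, d, 1
        else:
            m += 1
    return C[:L + 1]


def krylov_sequence(A, U, V, length):
    """Prover side: s[i] = U^T A^i V. Assumed certified by the Section 5 protocol before use."""
    s, w = [], V
    for _ in range(length):
        s.append(dot(U, w))
        w = matvec(A, w)
    return s


def minpoly_certificate(A):
    """MinPoly (Theorem 5): one random projection pair, enough over a large field, and BM on the Verifier side."""
    n = len(A)
    U, V = rand_vec(n), rand_vec(n)
    return berlekamp_massey(krylov_sequence(A, U, V, 2 * n))


def det_certificate(A):
    """Det (Theorem 6): random diagonal D as a PreCondCyc stand-in (assumes A nonsingular, field large);
    det(A) is read off the minimal polynomial of B = A D once that polynomial has degree n."""
    n = len(A)
    D = [rng.randrange(1, P) for _ in range(n)]
    B = [[A[i][j] * D[j] % P for j in range(n)] for i in range(n)]
    m = minpoly_certificate(B)
    if len(m) != n + 1:
        return None                                # charpoly of B not square-free for this D: reject, resample
    det_B = (-1) ** n * m[-1] % P                  # charpoly(B)(0) = (-1)^n det(B)
    det_D = 1
    for x in D:
        det_D = det_D * x % P
    return det_B * pow(det_D, P - 2, P) % P        # det(A) = det(B) / det(D)


def charpoly_protocol(A, committed):
    """CharPoly (Theorem 7): the Prover has committed to p(x) (high-to-low); the Verifier challenges
    with a random lambda, obtains a certified det(lambda I - A) and compares it with p(lambda)."""
    n = len(A)
    lam = rng.randrange(P)
    M = [[((lam if i == j else 0) - A[i][j]) % P for j in range(n)] for i in range(n)]  # still sparse
    d = det_certificate(M)
    return d is not None and poly_eval(committed, lam) == d


# Constructed 3x3 sample with eigenvalues 2, 3, 5: charpoly x^3 - 10x^2 + 31x - 30, det 30.
A_SAMPLE = [[2, 1, 0], [0, 3, 0], [1, 0, 5]]
CHARPOLY_SAMPLE = [1, P - 10, 31, P - 30]

if __name__ == "__main__":
    print(minpoly_certificate(A_SAMPLE) == CHARPOLY_SAMPLE, det_certificate(A_SAMPLE))  # True 30
    print(charpoly_protocol(A_SAMPLE, CHARPOLY_SAMPLE))                                  # True
```

A wrong commitment is rejected whenever it differs from the true characteristic polynomial at the challenge point, which for a polynomial of degree n fails with probability at most n/p; the degree check in `det_certificate` is what makes the minpoly-to-determinant step honest, since the constant term only gives the determinant when the preconditioned matrix is cyclic.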

6.4 Det over Z 

Here the strategy is that of [8, §4.4]: ask for MinPoly, Det, CharPoly over Z.
After the commitment, the Verifier chooses a not so large prime, and asks for
a certificate of that same problem modulo the prime. Then the Verifier checks
the certificate, and checks coherency with the integral counterpart. On the
one hand, the minimal and characteristic polynomials over Z already occupy a
quadratic space, so that taking modular images is already quadratic. On the
other hand, for the determinant, this gives a linear time Verifier.